NodeZero Deployment Options

BLUF: Where you set up your NodeZero host—your operation launch point—matters.

Before setting up your NodeZero host, you need to decide what you want to learn from the operation. The following are a few options you may find helpful in making this decision.

1 – Inside Custom Scope

  • If you want to limit the scope and see what an attacker could exploit from inside that defined range, you’d place the NodeZero host within the scope you want to test.

When you set up the scope for your Pen Test, just make sure the NodeZero host is within one of the specified CIDR range(s) for the test.

PRO TIP: Ensure a Domain Controller is in scope as well, and NodeZero will attempt to exploit any vulnerabilities or misconfigurations on this host, as well as verify weak domain defaults & credentials.

This is your high-speed assessment, enabling a lean Find-Fix-Verify loop to initiate an agile security posture.

2 – Outside Custom Scope

  • But if you wanted an “outside-in” perspective to see if an attacker could access critical data and assets inside a specific scope, you’d place the NodeZero host outside the scope you want to test.

When you set up the scope for your Pen Test, just make sure the NodeZero host is NOT within the specified CIDR range(s) for the test.

NOTE: When NodeZero is not in the same IP range as the scope, it will not execute Man-In-The-Middle and pass-the-hash attacks.

This is your unrestricted assessment, providing true insight into what is accessible, valuable, and vulnerable from any starting point.

3 – Endpoints Only Scope

  • Once in a while you may just want to quickly verify that the vulnerability you just remediated had the effect you desired. In this case, you can select a single host or range of hosts by /32s.

When you set up the scope for your Pen Test, just make sure the NodeZero host has access to the specific host identified by the /32 CIDR range(s) for the test.

When you set up the scope for your Pen Test, just make sure the NodeZero host is NOT within the specified CIDR range(s) for the test.

NOTE: Just as with #2, when NodeZero is not in the same IP range as the scope, it will not execute Man-In-The-Middle and pass-the-hash attacks. Further, with this restricted scope, NodeZero will not chain weaknesses or paths, as you have limited the scope to a specific endpoint for this assessment.

This is your restricted assessment: a quick-turnaround op to verify your fix-action was implemented and a vulnerability is now presenting less severity to your attack surface.

4 – Intelligent Scope

  • Let’s say you wanted to see what an uncredentialed attacker could enumerate and exploit from a specific starting point in your network – a true “black box” pen test – this calls for Intelligent Scope

When you set up the scope for your pen test, leave the “Include” box blank. NodeZero’s host subnet will provide the initial scope, and it will expand organically during the pen test as more hosts and subnets are discovered, just like an attacker would.

This is your proactive assessment; providing true insight into what is accessible, valuable, and vulnerable from any starting point

5 – All Private IP Scope (i.e., RFC 1918)

  • And when you’re really ready to roll, you’ll love the ability to run an RFC 1918 full private scope pen test, enumerating everything accessible quickly and safely.

Just select the “Use RFC 1918” box and NodeZero will take care of the rest. As always, you can Exclude any IP addresses or ranges from this and any operation.

NOTE: This op may take a bit longer as NodeZero enumerates any IPs and DNS names it can access…including edge routers; if yours are misconfigured for routing private IPs, NodeZero may attempt to enumerate those external private IPs.

PRO TIP: if you really want to see EVERYTHING, put NodeZero in an unrestricted ACL so it can discover every nook and cranny online in your environment

This is your unrestricted and holistic enterprise assessment–and should be run regularly
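
A pre-flight check for the placement rules in options 1 through 5, as an added example (not NodeZero's own code; `plan_scope`, its parameters and the addresses are hypothetical and constructed). It classifies a planned host address and Include list, and returns the limitations this page states for that placement.

```python
import ipaddress

# Notes mirror the limitations stated on this page.
NO_MITM = "host outside scope: no Man-In-The-Middle or pass-the-hash attacks"
NO_CHAIN = "endpoints-only scope: weaknesses and paths are not chained"
NO_DC = "Domain Controller not in scope (the PRO TIP recommends including one)"


def plan_scope(host_ip, include=(), use_rfc1918=False, dc_ip=None):
    """Return (option, notes) for a planned scope.

    Hypothetical helper: the names are assumptions, not a NodeZero API.
    """
    host = ipaddress.ip_address(host_ip)
    # strict=False accepts entries typed with host bits set, e.g. 10.0.5.7/24
    nets = [ipaddress.ip_network(c, strict=False) for c in include]

    if use_rfc1918:
        return "rfc1918", []          # option 5: "Use RFC 1918" box
    if not nets:
        return "intelligent", []      # option 4: blank Include box

    notes = []
    host_inside = any(host in n for n in nets)
    if all(n.prefixlen == n.max_prefixlen for n in nets):
        option = "endpoints-only"     # option 3: every entry is a single host
        notes.append(NO_CHAIN)
    else:
        option = "inside" if host_inside else "outside"   # options 1 and 2
    if not host_inside:
        notes.append(NO_MITM)
    if dc_ip and not any(ipaddress.ip_address(dc_ip) in n for n in nets):
        notes.append(NO_DC)
    return option, notes


if __name__ == "__main__":
    # Constructed sample plans: (host, include list, domain controller)
    plans = [
        ("10.0.5.20", ["10.0.5.0/24"], "10.0.5.10"),
        ("10.0.9.20", ["10.0.5.0/24"], "10.0.6.10"),
        ("10.0.9.20", ["10.0.5.17/32", "10.0.5.18/32"], None),
        ("10.0.9.20", [], None),
    ]
    for host, cidrs, dc in plans:
        print(host, cidrs, "->", plan_scope(host, cidrs, dc_ip=dc))
```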

6 – OSINT

  • Available with any pen test operation is our Open-Source Intelligence (OSINT) assessment, where NodeZero will gather publicly available information to use as part of the pen test.

The second step of configuring your pen test offers you the ability to take a true external perspective; your company name will be auto-filled for you, and you can provide TLDs and weak password terms you’d like NodeZero to test with any discovered information.

NOTE: NodeZero’s OSINT gathering operates outside your environment, so NodeZero placement isn’t as critical. However, when combined with an internal op with a domain controller in scope, NodeZero will verify domain users and passwords with those found publicly, giving you further insight into your attack surface risk.

This is your external reconnaissance capability to see what attackers see and use to start their campaigns and establish a foothold in your environment.

Use this table as a reference for all your Automated Pen Test operations!

deploy15.png